Abstract: This paper employs a behavioral science perspective of airport security to examine security-related decision behaviors using exploratory ethnographic observations. Sampling employees from a broad spectrum of departments and occupations in several major airports across Europe, over 700 descriptive items are transcribed into story scripts that are analyzed. The results demonstrate that both formal and informal behavioral factors are present when security decisions are made. The repetitive patterns of behavior allowed us to develop a generic model applicable to a wide range of security-related situations. What the descriptions suggest is that even within the formal regulatory administrative framework of airports, actual real-time security behaviors may deviate from rules and regulations to adapt to local situations.

There's a service that can be hired to tie up target phone lines indefinitely. The article talks about how this can be used as a diversionary tactic to mask a cyberattack, but that seems a bit odd to me. I'd be more concerned about how this sort of thing could be used to disrupt the operations of a political candidate on the eve of an election.

Yet before the demonstration could begin, the apparatus in the lecture theatre began to tap out a message. At first, it spelled out just one word repeated over and over. Then it changed into a facetious poem accusing Marconi of "diddling the public". Their demonstration had been hacked -- and this was more than 100 years before the mischief playing out on the internet today. Who was the Royal Institution hacker? How did the cheeky messages get there? And why?

...researchers there developed a system that can recognize a person by the backside when the person takes a seat. The system performs a precise measurement of the person's posterior, its contours and the way the person applies pressure on the seat. The developers say that in lab tests, the system was able to recognize people with 98 percent accuracy.

Charles Mann made me the central focus of his article on airport security for Vanity Fair. (Mann also wrote about me in 2002 for The Atlantic.) The article was supposed to have been in the tenth-anniversary-of-9/11 issue, but got delayed.

My box of galley copies arrived in the mail yesterday. They're filled with uncorrected typos, but otherwise look great. Wiley printed about 500 of them, and they're mostly going to journalists and book reviewers, with some going to different wholesale and retail outlets. I have 20 copies to give away to readers of my blog and Crypto-Gram.

Earlier this month, I asked readers to suggest methods of distribution. There were a lot of good suggestions, but one stood out:

The best way to achieve that may be by letting people hand it personally to an 'opinion leader.' Their argument for which 'opinion leader' they think is most important *and* needs to read this the most (could be someone who talks out of his ass on the subject) gives you a good selection criterion, as well as giving some people an excuse to visit an 'opinion leader.'

So that's the plan. If you want a book, you have to promise to give a book to someone else. This someone should be a person who doesn't otherwise know about me, and wouldn't otherwise know about my book. This should be someone who would enjoy my book, and who would be likely to spread the word to others. Maybe it's the CEO of the company you work for. Maybe it's someone in politics. Maybe it's just someone who influences the thinking of a lot of people. It shouldn't be someone who would just dismiss my book out of hand, or not bother reading it because he already knows what he thinks. It should be someone who will read the book, think about it, and tell others about it.

Sometime between now and Christmas Day, send an e-mail whose subject matches the subject line of this post to schneier@schneier.com. Tell me who you're going to give the book to and why. I'll randomly choose ten people from those e-mails and ask them for their physical addresses. (This way, only winners have to mail me their addresses.) I'll send each of the winners two copies of the galley: one for the winner, and the other for the winner's thought leader. If Wiley sends me more galleys to give away, I will simply choose more winners.

Of course, I have no way of verifying that the winners actually comply. Someone could keep one copy of the galley and auction the other on eBay. I can't stop that, but I will be cross if it happens. And I will number the galleys, so if I do ever see the book, I will know who did it.

Thank you to reader Jur, who suggested this method of distributing galley copies to my readers in response to my request. Jur, email me with your address and I will send you a copy of the galley.

Citing unexplained "intelligence data," an unnamed "senior intelligence official," and an anonymous "privacy security official," Bloomberg News claims that iBahn -- the company that runs Internet services for a bunch of hotel chains -- has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China does lot of hacking, and so on. iBahn has denied the story.

Come on, people. I know that China hacking stories are plausible, but the bar for actual evidence should be higher than this.

In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here's an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number.

I have to admit this puzzles me, because I thought there was a standard for masking credit card numbers. I only ever see all digits except the final four masked.
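As an added illustration (not part of the original post), the script below shows why inconsistent masking is a chosen-protocol problem: two receipts for the same card that hide different digits combine into the full number, while one consistent rule (only the last four digits shown, the usual PCI DSS display practice) gives a second receipt nothing new to add. The card number and the two receipt formats are constructed sample data.

```python
"""Merging masked card numbers from several receipts, and the masking
policy that defeats the merge.  Added example; the PAN and receipt
formats are constructed, not taken from any real garage."""

MASK_CHAR = "*"


def merge_masked(receipts):
    """Combine several masked copies of the same card number.

    Each receipt is a string of the same length in which hidden digits
    are '*'.  Returns (merged, unknown): the merged string and how many
    positions are still hidden on every receipt.  Raises ValueError if
    two receipts reveal different digits at the same position, which
    means they are not copies of the same number.
    """
    length = len(receipts[0])
    if any(len(r) != length for r in receipts):
        raise ValueError("receipts must have the same number of positions")
    merged = []
    for i in range(length):
        revealed = {r[i] for r in receipts if r[i] != MASK_CHAR}
        if len(revealed) > 1:
            raise ValueError(f"receipts disagree at position {i}: {revealed}")
        merged.append(revealed.pop() if revealed else MASK_CHAR)
    merged = "".join(merged)
    return merged, merged.count(MASK_CHAR)


def luhn_valid(pan):
    """True if the digit string passes the Luhn check-digit test, which a
    reconstructed number must satisfy to be a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, visible_last=4):
    """Consistent policy: hide everything except the last `visible_last`
    digits.  Two receipts masked this way reveal exactly the same digits."""
    return MASK_CHAR * (len(pan) - visible_last) + pan[-visible_last:]


# Constructed sample PAN (passes Luhn) as printed by two different garages.
SAMPLE_PAN = "4532015112830366"
GARAGE_A = "************0366"   # hides the first twelve digits
GARAGE_B = "453201511283****"   # hides only the last four

if __name__ == "__main__":
    full, unknown = merge_masked([GARAGE_A, GARAGE_B])
    print("mixed policies :", full, "unknown digits:", unknown,
          "luhn ok:", luhn_valid(full))
    same, unknown = merge_masked([mask_pan(SAMPLE_PAN), mask_pan(SAMPLE_PAN)])
    print("single policy  :", same, "unknown digits:", unknown)
```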

NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display--which are typically 100-200 nanometers in diameter--in a way that creates what are called "surface plasmons." In the words of the company, this means light "[collects] on the film's surface and creates higher than expected optical outputs by creating an electromagnetic field, called surface plasmonic resonance."

[...]

And security, surprisingly, is one of the major applications of these light-amplifying tiny holes. Compared with things like holograms, NOtES has a number of advantages. For one, the technology consists of nothing more than an array of tiny holes, which means it can literally be stamped into anything. Nanotech Security is in talks with the Bank of Canada, whose new plastic bills are a perfect candidate for security measures embedded using NOtES.

[...]

Using a physical stamp, Nanotech Security can imprint its minuscule holes into bills even after they've been printed, instantly transforming the area of the bill that's been stamped into something that resembles a tiny LED. It's just like the old-school printing process that yields embossed invitations and business cards, except that instead of pressing "save the date" into cardstock, a nickel stamp covered with nano-scale bumps presses corresponding holes into a material.

The results aren't just visually crisp, they're also good for keeping things top secret. That's because the NOtES process yields a surface that reflects light from ultraviolet all the way into the far infrared, or wavelengths outside what we can see, but which can easily be read by machines. This opens up the potential for NOtES to be used to create watermarks on bills that counterfeiters can't even see.

Anti-counterfeiting technologies have a difficult set of requirements. They need to be cheap for legitimate currency printers, and at the same time expensive for counterfeiters. That this technology can encode unique serial numbers -- or even digital signatures of unique serial numbers -- onto paper currency would be a big deal.

"The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain."

The "spoofing" technique that the Iranians used -- which took into account precise landing altitudes, as well as latitudinal and longitudinal data -- made the drone "land on its own where we wanted it to, without having to crack the remote-control signals and communications" from the US control center, says the engineer.

When you give out money based on politics, without any accounting, this is what you get:

The West Michigan Shoreline Regional Development Commission (WMSRDC) is a federal- and state-designated agency responsible for managing and administrating the homeland security program in Montcalm County and 12 other counties.

The WMSRDC recently purchased and transferred homeland security equipment to these counties -- including 13 snow cone machines at a total cost of $11,700.

Wait. It gets funnier:

"It is used to attract people so they can be educated and prepared for homeland security," Dey said from his office in Muskegon. "More importantly, they (homeland security officials) felt in a medical emergency the machine was capable of making ice packs which could be used for medical purposes."

My publisher is printing galley copies of Liars and Outliers. If anyone out there has a legitimate reason to get one, like writing book reviews for a newspaper, magazine, popular blog, etc., send me an e-mail and I'll forward your request to Wiley's PR department. I think they'll be ready in a week or so, although it might be after the new year.

Additionally, I'm going to get 10 to 20 copies that I'd like to give away to readers of this blog. I'm not sure how to do it, though. Offering copies to "the first N people who leave a comment" would discriminate based on time zone. Giving copies away randomly to commenters seems, well, too easy. The person in charge of PR at Wiley wants me to give copies away randomly to people who "like" me on Facebook or tweet about me to their friends, or do some other sort of fake distributed marketing thing, but I'm not going to do that.

So to start, I've decided to give away a free galley copy of Liars and Outliers to the person who can come up with the best way to give away free galley copies of Liars and Outliers. Leave your suggestions in comments.

Abstract: Predator effects on prey demography have traditionally been ascribed solely to direct killing in studies of population ecology and wildlife management. Predators also affect the prey's perception of predation risk, but this has not been thought to meaningfully affect prey demography. We isolated the effects of perceived predation risk in a free-living population of song sparrows by actively eliminating direct predation and used playbacks of predator calls and sounds to manipulate perceived risk. We found that the perception of predation risk alone reduced the number of offspring produced per year by 40%. Our results suggest that the perception of predation risk is itself powerful enough to affect wildlife population dynamics, and should thus be given greater consideration in vertebrate conservation and management.

Al Qaeda is sewing bombs into people. Actually, not really. This is an "aspirational" terrorist threat, which basically means that someone mentioned it while drunk in a bar somewhere. Of course, that won't stop the DHS from trying to terrorize people with the idea and the security-industrial complex from selling us an expensive "solution" to reduce our fears.

Wired: "So: a disruptive, potentially expensive panic based on a wild aspirational scheme? Actually, that sounds a lot like al-Qaida. And the TSA."

This article on airplane security says many of the same things I've been saying for years:

Given the breadth and complexity of threats to commercial aviation, those who criticize the TSA and other aviation security regulatory agencies for reactive policies and overly narrow focus appear to have substantial grounding. Three particularly serious charges can be levied against the TSA: it overemphasizes defending against specific attack vectors (such as hijackings or passenger-borne IEDs) at the expense of others (such as insider threats or attacks on airports); it overemphasizes securing U.S. airports while failing to acknowledge the significantly greater threat posed to flights arriving or departing from foreign airports; and it has failed to be transparent with the American people that certain threats are either extremely difficult or beyond the TSA's ability to control. Furthermore, the adoption of cumbersome aviation security measures in the wake of failed attacks entails a financial burden on both governments and the airline industry, which has not gone unnoticed by jihadist propagandists and strategists. While the U.S. government has spent some $56 billion on aviation security measures since 9/11, AQAP prominently noted that its 2010 cargo plot cost a total of $4,900.

Brandt says aviation security needs a fundamental overhaul. Not only is the aviation industry failing to keep up with the new terrorist tactics, TSA's regimen of scanning and groping is causing a public backlash. "From the public's perspective, this kind of refocusing would reduce the amount of screening they have to put up with in the United States," Brandt tells Danger Room, "and refocus it where it's needed."

[...]

None of this is going to be easy, or cheap. Brandt proposes that the government subsidize airlines for better employee background checks or explosives detection tech. But that could strike taxpayers as a bailout.

On the other hand, he and Pistole actually share the same headspace, so it's possible that TSA will buy his overall critique. "The best defense is still developing solid intelligence on terrorist groups interested in targeting aviation," Brandt says. Beats treating us all like terrorists.

Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn't shot down and it didn't crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple "malfunction," but that doesn't make a whole lot of sense.

The Iranians claim they used "electronic warfare" to capture the drone, implying that they somehow took control of it in the air and steered it to the ground. It would be a serious security design failure if they could do that. Two years ago, there was a story about al Qaeda intercepting video signals from drones. The command-and-control channel is different; I assumed that there was some pretty strong encryption protecting that.

While photography bans are pretty common, the station has decided to only ban DSLRs due to "their combination of high quality sensor and high resolution". Other cameras are allowed in, as long as they don't look "big" enough to shoot amazing photos.

"Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame," said Dan Kaufman, director, DARPA Information Innovation Office. "The most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work. We are impressed by the ingenuity this type of competition elicits."

Lots of information about the contest and the winners here. This is the winning entry. And this is the original input for the challenge.

The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user's consent.

"Even when a user blocks callers or connects from behind a Network Address Translation (NAT) -- a common type of firewall -- it does not prevent the privacy risk," according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user's location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person's IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

Invasive U.S. surveillance programs, either illegal like the NSA's wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems.

I think these are legitimate concerns. I don't trust the U.S. government, law or no law, not to spy on my data if it thought it was a good idea. The more interesting question is: which government should I trust instead?

Last week, I had a long conversation with Robert Lemos over an article he was writing about full disclosure. He had noticed that companies have recently been reacting more negatively to security researchers publishing vulnerabilities about their products.

The debate over full disclosure is as old as computing, and I've written about it before. Disclosing security vulnerabilities is good for security and good for society, but vendors really hate it. It results in bad press, forces them to spend money fixing vulnerabilities, and comes out of nowhere. Over the past decade or so, we've had an uneasy truce between security researchers and product vendors. That truce seems to be breaking down.

Lemos believes the problem is that because today's research targets aren't traditional computer companies -- they're phone companies, or embedded system companies, or whatnot -- they're not aware of the history of the debate or the truce, and are responding more viscerally. For example, Carrier IQ threatened legal action against the researcher that outed it, and only backed down after the EFF got involved. I am reminded of the reaction of locksmiths to Matt Blaze's vulnerability disclosures about lock security; they thought he was evil incarnate for publicizing hundred-year-old security vulnerabilities in lock systems. And just last week, I posted about a full-disclosure debate in the virology community.

I think Lemos has put his finger on part of what's going on, but that there's more. I think that companies, both computer and non-computer, are trying to retain control over the situation. Apple's heavy-handed retaliation against researcher Charlie Miller is an example of that. On one hand, Apple should know better than to do this. On the other hand, it's acting in the best interest of its brand: the fewer researchers looking for vulnerabilities, the fewer vulnerabilities it has to deal with.

It's easy to believe that if only people wouldn't disclose problems, we could pretend they didn't exist, and everything would be better. Certainly this is the position taken by the DHS over terrorism: public information about the problem is worse than the problem itself. It's similar to Americans' willingness to give both Bush and Obama the power to arrest and indefinitely detain any American without any trial whatsoever. It largely explains the common public backlash against whistle-blowers. What we don't know can't hurt us, and what we do know will also be known by those who want to hurt us.

There's some profound psychological denial going on here, and I'm not sure of the implications of it all. It's worth paying attention to, though. Security requires transparency and disclosure, and if we willingly give that up, we're a lot less safe as a society.

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to get the company to back down. (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here. Threatening the researcher was a panic reaction, but I think it's still clinging to the notion that it can keep the details of what it does secret, or hide behind such statements such as:

Our customers select which metrics they need to gather based on their business need--such as network planning, customer care, device performance--within the bounds of the agreement they form with their end users.

In response to some questions from PCMag, a Carrier IQ spokeswoman said "we count and summarize performance; we do not record keystrokes, capture screen shots, SMS, email, or record conversations."

"Our software does not collect the content of messages," she said.

How then does Carrier IQ explain the video posted by Trevor Eckhart, which showed an Android-based phone running Carrier IQ in the background and grabbing data like encrypted Google searches?

"While 'security researchers' have identified that we examine many aspects of a device, our software does not store or transmit what consumers view on their screen or type," the spokeswoman said. "Just because every application on your phone reads the keyboard does not make every application a key-logging application. Our software measures specific performance metrics that help operators improve the customer experience."

The spokeswoman said Carrier IQ would record the fact that a text message was sent correctly, for example, but the company "cannot record what the content of the SMS was." Similarly, Carrier IQ records where you were when a call dropped, but cannot record the conversation, and can determine which applications drain battery life but cannot capture screen shots, she said.

Several things matter here: 1) what data the Carrier IQ app collects on the handset, 2) what data the Carrier IQ app routinely transmits to the carriers, and 3) what data the Carrier IQ app can transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea.

Expect this story to unfold considerably in the coming weeks. Everyone is pointing fingers of blame at everyone else, and Sen. Franken has asked the various companies involved for details.

One more detail is worth mentioning. Apple announced it no longer uses Carrier IQ in iOS5. I'm sure this means that they have their own surveillance software running, not that they're no longer conducting surveillance on their users.

It's the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we'll learn more about what's actually possible in the coming weeks.

Walls, then, are built not for security, but for a sense of security. The distinction is important, as those who commission them know very well. What a wall satisfies is not so much a material need as a mental one. Walls protect people not from barbarians, but from anxieties and fears, which can often be more terrible than the worst vandals. In this way, they are built not for those who live outside them, threatening as they may be, but for those who dwell within. In a certain sense, then, what is built is not a wall, but a state of mind.

The essay goes on to talk about the value of walls as security theater.

The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study; doing so only causes the need for a password to be entered to read the encrypted data. Also, in some cases, doing so causes the data to be automatically destroyed. Fortunately, there are some tools forensics experts can use to gather data if it sits untouched, such as copying everything in memory to a separate disk. The team also suggests that law enforcement look first to see if the drive has been encrypted before scanning it with their own software, as doing so will likely result in a lot of wasted time.

After a long and hard year, Liars and Outliers is done. I submitted the manuscript to the publisher on Nov 1, got edits back from both an outside editor and a copyeditor about a week later, spent another week integrating the comments and edits, and submitted the final manuscript to the publisher just before Thanksgiving. Now it's being laid out, and I'll have one more chance to read it and correct typos next week.

It really feels great to be done. This is the hardest book I've written, and the most ambitious. Now I have to see how it's received. I know I should be thinking about creating a talk based on the book, but I want some time away from the ideas. I'll get back to that task in January.

Meanwhile, the publisher and I have been working on the cover. We settled on the art and layout months ago, but there's the back cover copy, the inside flaps copy, the author's bio, and the blurbs. I'm really happy with the blurbs I've received, and we're deciding what goes on the front cover, what goes on the back cover, and what goes inside on the first couple of pages of the book. Much of this text will also be used at various online bookstores as well, and at my own webpage for the book. I'll post the whole cover when it's final.

After that, the publisher will create the various e-book formats. I'm not sure how the figures and tables will translate, but I'll figure it out. Publication is still scheduled for mid-February, in time for the RSA Conference in San Francisco at the end of the month. I'll be doing a short interview about my book in something called the "Author's Studio" on Wednesday, and will have a book signing at the conference bookstore sometime that week. If there is any exhibitor wanting to use my book as a conference giveaway and have me sign them, e-mail me and we'll work something out.